CISSP Official Study Guide, Eighth Edition
Mike Chapple, James Michael Stewart, Darril Gibson, CISSP Official Study Guide, Sybex (2018)

On-Site Assessment
Visit the site of the organization to interview personnel and observe their operating habits.

Document Exchange and Review
Investigate the means by which datasets and documentation are exchanged as well as the formal processes by which they perform assessments and reviews.

Process/Policy Review
Request copies of their security policies, processes/procedures, and documentation of incidents and responses for review.

Third-Party Audit
Having an independent third-party auditor, as defined by the American Institute of Certified Public Accountants (AICPA), can provide an unbiased review of an entity’s security infrastructure, based on Service Organization Control (SOC) reports. Statement on Standards for Attestation Engagements (SSAE) is a regulation that defines how service organizations report on their compliance using the various SOC reports. The SSAE 16 version of the regulation, effective June 15, 2011, was replaced by SSAE 18 as of May 1, 2017. The SOC1 and SOC2 auditing frameworks are worth considering for the purpose of a security assessment. The SOC1 audit focuses on a description of security mechanisms to assess their suitability. The SOC2 audit focuses on implemented security controls in relation to availability, security, integrity, privacy, and confidentiality. For more on SOC audits, see https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/socguidesandpublications.html.
Chapter 1 Security Governance Through Principles and Policies

For all acquisitions, establish minimum security requirements. These should be modeled from your existing security policy. The security requirements for new hardware, software, or services should always meet or exceed the security of your existing infrastructure. When working with an external service, be sure to review any service-level agreement (SLA) to ensure that security is a prescribed component of the contracted services. This could include customization of service-level requirements for your specific needs.
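The acquisition gate described above, as an added example that is not from the study guide: a Python check that compares a vendor's evidenced control levels (grouped by the SOC2 criteria the text names) against minimums derived from the existing policy, treats missing evidence as a gap rather than a pass, and verifies that the SLA prescribes security. The 0-3 maturity scale, the baseline values, the SLA clause names and the 72-hour notification limit are all constructed assumptions.

```python
"""Acquisition security gate (illustrative example, not from the study guide).
Checks that a candidate product or service meets or exceeds the organization's
existing minimum requirements and that its SLA prescribes security."""
from dataclasses import dataclass, field

# Control areas follow the SOC2 criteria named in the text. Levels use an
# assumed 0-3 maturity scale; 0 means no evidence at all was provided.
BASELINE = {  # constructed: minimums derived from an assumed existing policy
    "security": 3, "availability": 2, "integrity": 2,
    "confidentiality": 3, "privacy": 2,
}
# Constructed: security clauses the SLA must contain to be acceptable.
REQUIRED_SLA_TERMS = {"incident_notification_hours", "encryption_in_transit",
                      "right_to_audit"}

@dataclass
class VendorAssessment:
    name: str
    control_levels: dict                 # area -> level backed by evidence
    sla_terms: dict = field(default_factory=dict)  # clause -> agreed value
    soc2_report: bool = False            # independent third-party audit seen

@dataclass
class GateResult:
    approved: bool
    control_gaps: list      # (area, vendor level, required minimum)
    missing_sla_terms: list
    notes: list

def evaluate(vendor, baseline=BASELINE, required_sla=REQUIRED_SLA_TERMS):
    """Approval needs no control gaps, a complete SLA and a SOC2 report."""
    gaps, notes = [], []
    for area, minimum in baseline.items():
        level = vendor.control_levels.get(area, 0)   # missing evidence = 0
        if level < minimum:
            gaps.append((area, level, minimum))
    missing = sorted(required_sla - set(vendor.sla_terms))
    if not vendor.soc2_report:
        notes.append("no independent SOC2 report: levels are self-attested")
    hours = vendor.sla_terms.get("incident_notification_hours")
    if hours is not None and hours > 72:   # assumed tolerable maximum
        notes.append(f"incident notification window of {hours}h exceeds 72h")
    approved = not gaps and not missing and vendor.soc2_report
    return GateResult(approved, gaps, missing, notes)
```

Areas with no evidence show up as gaps at level 0, so a vendor cannot pass by leaving a criterion out of its questionnaire.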
Here are some excellent resources related to security integrated with acquisition:

Improving Cybersecurity and Resilience through Acquisition. Final Report of the Department of Defense and General Services Administration, published November 2013 (www.gsa.gov/portal/getMediaData?mediaId=185371)

NIST Special Publication 800-64 Revision 2: Security Considerations in the System Development Life Cycle (http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf)
Summary

Security governance, management concepts, and principles are inherent elements in a security policy and in solution deployment. They define the basic parameters needed for a secure environment. They also define the goals and objectives that both policy designers and system implementers must achieve in order to create a secure solution.

The primary goals and objectives of security are contained within the CIA Triad: confidentiality, integrity, and availability. These three principles are considered the most important within the realm of security. Their importance to an organization depends on the organization’s security goals and requirements and on how much of a threat to security exists in its environment.

The first principle from the CIA Triad is confidentiality, the principle that objects are not disclosed to unauthorized subjects. Security mechanisms that offer confidentiality offer a high level of assurance that data, objects, or resources are not exposed to unauthorized subjects. If a threat exists against confidentiality, there is the possibility that unauthorized disclosure could take place.

The second principle from the CIA Triad is integrity, the principle that objects retain their veracity and are intentionally modified by only authorized subjects. Security mechanisms that offer integrity offer a high level of assurance that the data, objects, and resources are unaltered from their original protected state. This includes alterations occurring while the object is in storage, in transit, or in process. Maintaining integrity means the object itself is not altered and the operating system and programming entities that manage and manipulate the object are not compromised.

The third principle from the CIA Triad is availability, the principle that authorized subjects are granted timely and uninterrupted access to objects. Security mechanisms that offer availability offer a high level of assurance that the data, objects, and resources are accessible to authorized subjects. Availability includes efficient uninterrupted access to objects and prevention of denial-of-service attacks. It also implies that the supporting infrastructure is functional and allows authorized users to gain authorized access.
Other security-related concepts and principles that should be considered and addressed when designing a security policy and deploying a security solution are privacy, identification, authentication, authorization, accountability, nonrepudiation, and auditing.

Other aspects of security solution concepts and principles are the elements of protection mechanisms: layering, abstraction, data hiding, and encryption. These are common characteristics of security controls, and although not all security controls must have them, many controls use these mechanisms to protect confidentiality, integrity, and availability.

Security roles determine who is responsible for the security of an organization’s assets. Those assigned the senior management role are ultimately responsible and liable for any asset loss, and they are the ones who define security policy. Security professionals are responsible for implementing security policy, and users are responsible for complying with the security policy. The person assigned the data owner role is responsible for classifying information, and a data custodian is responsible for maintaining the secure environment and backing up data. An auditor is responsible for making sure a secure environment is properly protecting assets.

A formalized security policy structure consists of policies, standards, baselines, guidelines, and procedures. These individual documents are essential elements to the design and implementation of security in any environment.

The control or management of change is an important aspect of security management practices. When a secure environment is changed, loopholes, overlaps, missing objects, and oversights can lead to new vulnerabilities. You can, however, maintain security by systematically managing change. This typically involves extensive logging, auditing, and monitoring of activities related to security controls and security mechanisms. The resulting data is then used to identify agents of change, whether objects, subjects, programs, communication pathways, or even the network itself.

Data classification is the primary means by which data is protected based on its secrecy, sensitivity, or confidentiality. Because some data items need more security than others, it is inefficient to treat all data the same when designing and implementing a security system. If everything is secured at a low security level, sensitive data is easily accessible, but securing everything at a high security level is too expensive and restricts access to unclassified, noncritical data. Data classification is used to determine how much effort, money, and resources are allocated to protect the data and control access to it.

An important aspect of security management planning is the proper implementation of a security policy. To be effective, the approach to security management must be a top-down approach. The responsibility of initiating and defining a security policy lies with upper or senior management. Security policies provide direction for the lower levels of the organization’s hierarchy. Middle management is responsible for fleshing out the security policy into standards, baselines, guidelines, and procedures. It is the responsibility of the operational managers or security professionals to implement the configurations prescribed in the security management documentation. Finally, the end users’ responsibility is to comply with all security policies of the organization.

Security management planning includes defining security roles, developing security policies, performing risk analysis, and requiring security education for employees. These responsibilities are guided by the developments of management plans. The security management team should develop strategic, tactical, and operational plans.

Threat modeling is the security process where potential threats are identified, categorized, and analyzed. Threat modeling can be performed as a proactive measure during design and development or as a reactive measure once a product has been deployed. In either case, the process identifies the potential harm, the probability of occurrence, the priority of concern, and the means to eradicate or reduce the threat.

Integrating cyber security risk management with supply chain, acquisition strategies, and business practices is a means to ensure a more robust and successful security strategy in organizations of all sizes. When purchases are made without security considerations, the risks inherent in those products remain throughout their deployment life span.
Exam Essentials